Nathalie Bertrand,Pranav Ghorpade,Sasha Rubin,Bernhard Scholz,Pavle Subotic

2024-07-02

Abstract:DAG-based consensus protocols are being adoption by blockchain companies to decrease energy footprints and improve security. A DAG-based consensus protocol collaboratively constructs a partial order of blocks of transactions and produces linearly ordered blocks. The ubiquity and strategic importance of blockchains call for formal proof of the correctness of key components, namely, consensus protocols. This paper presents a safety-proven formal specification of two DAG-based protocols. Our specification highlights several dissemination, DAG construction, and ordering variations that can be combined to express the two protocols. The formalization requires a refinement approach for modeling the consensus. In an abstract model, we first show the safety of DAG-based consensus on leader blocks and then further refine the specification to encompass all blocks for all processes. The TLA+ specification for a given protocol consists of 492-732 lines, and the proof system TLAPS verifies 2025-2294 obligations in 6-8 minutes.

Logic in Computer Science,Distributed, Parallel, and Cluster Computing,Software Engineering

Xiaosong Gu,Wei Cao,Yicong Zhu,Xuan Song,Yu Huang,Xiaoxing Ma

DOI: https://doi.org/10.48550/arXiv.2202.11385

2022-02-23

Abstract:Consensus protocols are widely used in building reliable distributed software systems and its correctness is of vital importance. TLA+ is a lightweight formal specification language which enables precise specification of system design and exhaustive checking of the design without any human effort. The features of TLA+ make it widely used in the specification and model checking of consensus protocols, both in academia and industry. However, the application of TLA+ is limited by the state explosion problem in model checking. Though compositional model checking is essential to tame the state explosion problem, existing compositional checking techniques do not sufficiently consider the characteristics of TLA+. In this work, we propose the Interaction-Preserving Abstraction (IPA) framework, which leverages the features of TLA+ and enables practical and efficient compositional model checking of consensus protocols specified in TLA+. In the IPA framework, system specification is partitioned into multiple modules, and each module is divided to the internal part and the interaction part. The basic idea of the interaction-preserving abstraction is to omit the internal part of each module, such that another module cannot distinguish whether it is interacting with the original module or the coarsened abstract one. We use the IPA framework to the compositional checking of the TLA+ specification of two consensus protocols Raft and ParallelRaft. Raft is a consensus protocol which is originally developed in the academia and then widely used in industry. ParallelRaft is the replication protocol in PolarFS, the distributed file system for the commercial database Alibaba PoloarDB. We demonstrate that the IPA framework is easy to use in realistic scenarios and at the same time significantly reduces the model checking cost.

Distributed, Parallel, and Cluster Computing,Formal Languages and Automata Theory

Kaustuv Chaudhuri,Damien Doligez,Leslie Lamport,Stephan Merz

DOI: https://doi.org/10.1007/978-3-642-14203-1_12

2010-11-11

Abstract:TLAPS, the TLA+ proof system, is a platform for the development and mechanical verification of TLA+ proofs written in a declarative style requiring little background beyond elementary mathematics. The language supports hierarchical and non-linear proof construction and verification, and it is independent of any verification tool or strategy. A Proof Manager uses backend verifiers such as theorem provers, proof assistants, SMT solvers, and decision procedures to check TLA+ proofs. This paper documents the first public release of TLAPS, distributed with a BSD-like license. It handles almost all the non-temporal part of TLA+ as well as the temporal reasoning needed to prove standard safety properties, in particular invariance and step simulation, but not liveness properties.

Logic in Computer Science

Hugues Evrard

DOI: https://doi.org/10.4204/EPTCS.316.2

2020-04-28

Abstract:Consensus protocols are crucial for reliable distributed systems as they let them cope with network and server failures. For decades, most consensus protocols have been designed as variations of the seminal Paxos, yet in 2014 Raft was presented as a new, "understandable" protocol, meant to be easier to implement than the notoriously subtle Paxos family. Raft has since been used in various industrial projects, e.g. Hashicorp's Consul or etcd (used by Google's Kubernetes). The correctness of Raft is established via a manual proof, based on a TLA+ specification of the protocol. This paper reports our experience in modeling Raft in the LNT process algebra. We found a couple of issues with the original TLA+ specification of Raft, which has been corrected since. More generally, this exercise offers a great opportunity to discuss how to best use the features of the LNT formal language and the associated CADP verification toolbox to model distributed protocols, including network and server failures.

Software Engineering,Distributed, Parallel, and Cluster Computing

Xiaosong Gu,Wei Cao,Yicong Zhu,Xuan Song,Yu Huang,Xiaoxing Ma

DOI: https://doi.org/10.1109/srds55811.2022.00018

2022-01-01

Abstract:Consensus protocols are widely used in building reliable distributed software systems and their correctness is of vital importance. TLA+ is a lightweight formal specification language which enables precise specification of system design and exhaustive checking of the design without any human effort. The features of TLA+ make it widely used in the specification and model checking of consensus protocols, both in academia and in industry. However, the application of TLA+ is limited by the state explosion problem in model checking. Though compositional model checking is essential to tame the state explosion problem, existing compositional checking techniques do not sufficiently consider the characteristics of TLA+. In this work, we propose the Interaction-Preserving Abstraction (IPA) framework, which leverages the features of TLA+ and enables practical and efficient compositional model checking of consensus protocols specified in TLA+. In the IPA framework, system specification is partitioned into multiple modules, and each module is divided into the internal part and the interaction part. The basic idea of the interaction-preserving abstraction is to omit the internal part of each module, such that another module cannot distinguish whether it is interacting with the original module or the coarsened abstract one. We apply the IPA framework to the compositional checking of the TLA+ specifications of two consensus protocols Raft and ParallelRaft. Raft is a consensus protocol which was originally developed in academia and then widely used in industry. ParallelRaft is the replication protocol in PolarFS, the distributed file system for the commercial database Alibaba PolarDB. We demonstrate that the IPA framework is easy to use in realistic scenarios and at the same time significantly reduces the model checking cost.

William Schultz,Edward Ashton,Heidi Howard,Stavros Tripakis

2024-04-28

Abstract:Many techniques for automated inference of inductive invariants for distributed protocols have been developed over the past several years, but their performance can still be unpredictable and their failure modes opaque for large-scale verification tasks. In this paper, we present inductive proof slicing, a new automated, compositional technique for inductive invariant inference that scales effectively to large distributed protocol verification tasks. Our technique is built on a core, novel data structure, the inductive proof graph, which explicitly represents the lemma and action dependencies of an inductive invariant and is built incrementally during the inference procedure, backwards from a target safety property. We present an invariant inference algorithm that integrates localized syntax-guided lemma synthesis routines at nodes of this graph, which are accelerated by computation of localized grammar and state variable slices. Additionally, in the case of failure to produce a complete inductive invariant, maintenance of this proof graph structure allows failures to be localized to small sub-components of this graph, enabling fine-grained failure diagnosis and repair by a user. We evaluate our technique on several complex distributed and concurrent protocols, including a large scale specification of the Raft consensus protocol, which is beyond the capabilities of modern distributed protocol verification tools, and also demonstrate how its interpretability features allow effective diagnosis and repair in cases of initial failure.

Distributed, Parallel, and Cluster Computing,Logic in Computer Science

Leander Jehl

DOI: https://doi.org/10.1007/978-3-030-78089-0_13

2021-01-01

Abstract:HotStuff is a recent algorithm for repeated distributed consensus used in permissioned blockchains. We present a simplified version of the HotStuff algorithm and verify its safety using both Ivy and the TLA Proof Systems tools.We show that HotStuff deviates from the traditional view-instance model used in other consensus algorithms and instead follows a novel tree model to solve this fundamental problem. We argue that the tree model results in more complex verification tasks than the traditional view-instance model. Our verification efforts provide initial evidence towards this claim.

Igor Konnov,Markus Kuppe,Stephan Merz

DOI: https://doi.org/10.48550/arXiv.2211.07216

2022-11-14

Logic in Computer Science

Abstract:Using an algorithm due to Safra for distributed termination detection as a running example, we present the main tools for verifying specifications written in TLA+. Examining their complementary strengths and weaknesses, we suggest a workflow that supports different types of analysis and that can be adapted to the desired degree of confidence.

Chih-Duo Hong,Anthony W. Lin

DOI: https://doi.org/10.1145/3632864

2024-01-05

Abstract:Verifying safety and liveness over array systems is a highly challenging problem. Array systems naturally capture parameterized systems such as distributed protocols with an unbounded number of processes. Such distributed protocols often exploit process IDs during their computation, resulting in array systems whose element values range over an infinite domain. In this paper, we develop a novel framework for proving safety and liveness over array systems. The crux of the framework is to overapproximate an array system as a string rewriting system (i.e. over a finite alphabet) by means of a new predicate abstraction that exploits the so-called indexed predicates. This allows us to tap into powerful verification methods for string rewriting systems that have been heavily developed in the last few decades (e.g. regular model checking). We demonstrate how our method yields simple, automatically verifiable proofs of safety and liveness properties for challenging examples, including Dijkstra's self-stabilizing protocol and the Chang-Roberts leader election protocol.

Software Engineering,Logic in Computer Science

Michael Lambert

DOI: https://doi.org/10.48550/arXiv.2111.07461

2021-11-15

Abstract:This paper presents a reformulation in topos logic of a safety result arising in an abstract presentation of blockchain consensus protocols. That is, in a high-level template for "correct-by-construction" consensus protocols, it is shown that a proposition and its negation cannot both be safe in protocol states that have executions to some common state. This is in fact true for any inconsistent propositions and the proof requires only intuitionistic reasoning. This opens the door for work on consensus protocols in the internal language of a topos. As a first pass on such a program, the main contribution of this paper is the formulation of estimate safety in abstract correct-by-construction protocols as a forcing statement in the internal logic of a given topos. This is illustrated first in the setting of copresheaf toposes. It is also seen there that safety can be viewed as a modal statement. For these interpretations, some extensions and adaptations of results in the literature on modal operators in toposes are presented. The final reformulation of estimate safety is a completely elementary version in the language of an arbitrary topos where it is seen that estimate safety is equivalent to a certain forcing statement.

Category Theory

William Schultz,Ian Dardik,Stavros Tripakis

DOI: https://doi.org/10.48550/arXiv.2205.06360

2022-10-01

Abstract:We present a new technique for automatically inferring inductive invariants of parameterized distributed protocols specified in TLA+. Ours is the first such invariant inference technique to work directly on TLA+, an expressive, high level specification language. To achieve this, we present a new algorithm for invariant inference that is based around a core procedure for generating plain, potentially non-inductive lemma invariants that are used as candidate conjuncts of an overall inductive invariant. We couple this with a greedy lemma invariant selection procedure that selects lemmas that eliminate the largest number of counterexamples to induction at each round of our inference procedure. We have implemented our algorithm in a tool, endive, and evaluate it on a diverse set of distributed protocol benchmarks, demonstrating competitive performance and ability to uniquely solve an industrial scale reconfiguration protocol.

Logic in Computer Science,Distributed, Parallel, and Cluster Computing

Marius Bozga,Radu Iosif,Joseph Sifakis

DOI: https://doi.org/10.48550/arXiv.1902.02696

2019-02-07

Abstract:We consider concurrent systems consisting of a finite but unknown number of components, that are replicated instances of a given set of finite state automata. The components communicate by executing interactions which are simultaneous atomic state changes of a set of components. We specify both the type of interactions (e.g.\ rendez-vous, broadcast) and the topology (i.e.\ architecture) of the system (e.g.\ pipeline, ring) via a decidable interaction logic, which is embedded in the classical weak sequential calculus of one successor (WS1S). Proving correctness of such system for safety properties, such as deadlock freedom or mutual exclusion, requires the inference of an inductive invariant that subsumes the set of reachable states and avoids the unsafe states. Our method synthesizes such invariants directly from the formula describing the interactions, without costly fixed point iterations. We applied our technique to the verification of several textbook examples, such as dining philosophers, mutual exclusion protocols and concurrent systems with preemption and priorities.

Formal Languages and Automata Theory

Yepeng Ding,Hiroyuki Sato

DOI: https://doi.org/10.48550/arXiv.2008.08245

2020-08-19

Abstract:Decentralized techniques are becoming crucial and ubiquitous with the rapid advancement of distributed ledger technologies such as the blockchain. Numerous decentralized systems have been developed to address security and privacy issues with great dependability and reliability via these techniques. Meanwhile, formalization and verification of the decentralized systems is the key to ensuring correctness of the design and security properties of the implementation. In this paper, we propose a novel method of formalizing and verifying decentralized systems with a kind of extended concurrent separation logic. Our logic extends the standard concurrent separation logic with new features including communication encapsulation, environment perception, and node-level reasoning, which enhances modularity and expressiveness. Besides, we develop our logic with unitarity and compatibility to facilitate implementation. Furthermore, we demonstrate the effectiveness and versatility of our method by applying our logic to formalize and verify critical techniques in decentralized systems including the consensus mechanism and the smart contract.

Distributed, Parallel, and Cluster Computing,Logic in Computer Science

Horatiu Cirstea,Markus A. Kuppe,Benjamin Loillier,Stephan Merz

2024-09-18

Abstract:TLA+ is a formal language for specifying systems, including distributed algorithms, that is supported by powerful verification tools. In this work we present a framework for relating traces of distributed programs to high-level specifications written in TLA+. The problem is reduced to a constrained model checking problem, realized using the TLC model checker. Our framework consists of an API for instrumenting Java programs in order to record traces of executions, of a collection of TLA+ operators that are used for relating those traces to specifications, and of scripts for running the model checker. Crucially, traces only contain updates to specification variables rather than full values, and developers may choose to trace only certain variables. We have applied our approach to several distributed programs, detecting discrepancies between the specifications and the implementations in all cases. We discuss reasons for these discrepancies, best practices for instrumenting programs, and how to interpret the verdict produced by TLC.

Programming Languages,Software Engineering

Yu-Fang Chen,Chih-Duo Hong,Anthony W. Lin,Philipp Ruemmer

DOI: https://doi.org/10.48550/arXiv.1709.07139

2017-10-03

Abstract:We revisit the classic problem of proving safety over parameterised concurrent systems, i.e., an infinite family of finite-state concurrent systems that are represented by some finite (symbolic) means. An example of such an infinite family is a dining philosopher protocol with any number n of processes (n being the parameter that defines the infinite family). Regular model checking is a well-known generic framework for modelling parameterised concurrent systems, where an infinite set of configurations (resp. transitions) is represented by a regular set (resp. regular transducer). Although verifying safety properties in the regular model checking framework is undecidable in general, many sophisticated semi-algorithms have been developed in the past fifteen years that can successfully prove safety in many practical instances. In this paper, we propose a simple solution to synthesise regular inductive invariants that makes use of Angluin's classic L* algorithm (and its variants). We provide a termination guarantee when the set of configurations reachable from a given set of initial configurations is regular. We have tested L* algorithm on standard (as well as new) examples in regular model checking including the dining philosopher protocol, the dining cryptographer protocol, and several mutual exclusion protocols (e.g. Bakery, Burns, Szymanski, and German). Our experiments show that, despite the simplicity of our solution, it can perform at least as well as existing semi-algorithms.

Logic in Computer Science,Formal Languages and Automata Theory,Programming Languages

Abbas Tariverdi,Jim Torresen

2023-08-20

Abstract:In this paper, we introduce a novel adaptation of the Raft consensus algorithm for achieving emergent formation control in multi-agent systems with a single integrator dynamics. This strategy, dubbed "Rafting," enables robust cooperation between distributed nodes, thereby facilitating the achievement of desired geometric configurations. Our framework takes advantage of the Raft algorithm's inherent fault tolerance and strong consistency guarantees to extend its applicability to distributed formation control tasks. Following the introduction of a decentralized mechanism for aggregating agent states, a synchronization protocol for information exchange and consensus formation is proposed. The Raft consensus algorithm combines leader election, log replication, and state machine application to steer agents toward a common, collaborative goal. A series of detailed simulations validate the efficacy and robustness of our method under various conditions, including partial network failures and disturbances. The outcomes demonstrate the algorithm's potential and open up new possibilities in swarm robotics, autonomous transportation, and distributed computation. The implementation of the algorithms presented in this paper is available at <a class="link-external link-https" href="https://github.com/abbas-tari/raft.git" rel="external noopener nofollow">this https URL</a>.

Multiagent Systems

Parth Bora,Pham Duc Minh,Tim A.C. Willemse

DOI: https://doi.org/10.4204/EPTCS.399.4

2024-03-28

Abstract:The consensus problem is a fundamental problem in distributed systems. It involves a set of actors, or entities, that need to agree on some values or decisions. The Raft algorithm is a solution to the consensus problem that has gained widespread popularity as an easy-to-understand and implement alternative to Lamport's Paxos algorithm. In this paper we discuss a formalisation of the Raft algorithm and its associated correctness properties in the mCRL2 specification language.

Logic in Computer Science,Distributed, Parallel, and Cluster Computing,Software Engineering

Aman Goel,Karem A. Sakallah

DOI: https://doi.org/10.34727/2021/isbn.978-3-85448-046-4_20

2021-08-20

Abstract:Lamport's celebrated Paxos consensus protocol is generally viewed as a complex hard-to-understand algorithm. Notwithstanding its complexity, in this paper, we take a step towards automatically proving the safety of Paxos by taking advantage of three structural features in its specification: spatial regularity in its unordered domains, temporal regularity in its totally-ordered domain, and its hierarchical composition. By carefully integrating these structural features in IC3PO, a novel model checking algorithm, we were able to infer an inductive invariant that identically matches the human-written one previously derived with significant manual effort using interactive theorem proving. While various attempts have been made to verify different versions of Paxos, to the best of our knowledge, this is the first demonstration of an automatically-inferred inductive invariant for Lamport's original Paxos specification. We note that these structural features are not specific to Paxos and that IC3PO can serve as an automatic general-purpose protocol verification tool.

Logic in Computer Science,Distributed, Parallel, and Cluster Computing,Formal Languages and Automata Theory

Jiaqi Chen,Shlomi Dolev,Shay Kutten

DOI: https://doi.org/10.48550/arXiv.2011.02224

2020-11-04

Abstract:We generalize the definition of Proof Labeling Schemes to reactive systems, that is, systems where the configuration is supposed to keep changing forever. As an example, we address the main classical test case of reactive tasks, namely, the task of token passing. Different RPLSs are given for the cases that the network is assumed to be a tree or an anonymous ring, or a general graph, and the sizes of RPLSs' labels are analyzed. We also address the question of whether an RPLS exists. First, on the positive side, we show that there exists an RPLS for any distributed task for a family of graphs with unique identities. For the case of anonymous networks (even for the special case of rings), interestingly, it is known that no token passing algorithm is possible even if the number n of nodes is known. Nevertheless, we show that an RPLS is possible. On the negative side, we show that if one drops the assumption that n is known, then the construction becomes impossible.

Distributed, Parallel, and Cluster Computing

Linard Arquint,Felix A. Wolf,Joseph Lallemand,Ralf Sasse,Christoph Sprenger,Sven N. Wiesner,David Basin,Peter Müller

DOI: https://doi.org/10.48550/arXiv.2212.04171

2022-12-08

Abstract:We provide a framework consisting of tools and metatheorems for the end-to-end verification of security protocols, which bridges the gap between automated protocol verification and code-level proofs. We automatically translate a Tamarin protocol model into a set of I/O specifications expressed in separation logic. Each such specification describes a protocol role's intended I/O behavior against which the role's implementation is then verified. Our soundness result guarantees that the verified implementation inherits all security (trace) properties proved for the Tamarin model. Our framework thus enables us to leverage the substantial body of prior verification work in Tamarin to verify new and existing implementations. The possibility to use any separation logic code verifier provides flexibility regarding the target language. To validate our approach and show that it scales to real-world protocols, we verify a substantial part of the official Go implementation of the WireGuard VPN key exchange protocol.

Cryptography and Security,Programming Languages